TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-11 14:37:34 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: user api requests to resource API (#9794)

Browse Source 
# Which Problems Are Solved

This pull request addresses a significant gap in the user service v2
API, which currently lacks methods for managing machine users.

# How the Problems Are Solved

This PR adds new API endpoints to the user service v2 to manage machine
users including their secret, keys and personal access tokens.
Additionally, there's now a CreateUser and UpdateUser endpoints which
allow to create either a human or machine user and update them. The
existing `CreateHumanUser` endpoint has been deprecated along the
corresponding management service endpoints. For details check the
additional context section.

# Additional Context

- Closes https://github.com/zitadel/zitadel/issues/9349

## More details
- API changes: https://github.com/zitadel/zitadel/pull/9680
- Implementation: https://github.com/zitadel/zitadel/pull/9763
- Tests: https://github.com/zitadel/zitadel/pull/9771

## Follow-ups

- Metadata: support managing user metadata using resource API
https://github.com/zitadel/zitadel/pull/10005
- Machine token type: support managing the machine token type (migrate
to new enum with zero value unspecified?)

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Livio Spring <livio.a@gmail.com>
This commit is contained in:
Elio Bischof
2025-06-04 09:17:23 +02:00
committed by GitHub
parent e2a61a6002
commit 8fc11a7366
86 changed files with 7033 additions and 536 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
proto/buf.yaml
View File

@@ -40,4 +40,4 @@ lint:
- zitadel/system.proto
- zitadel/text.proto
- zitadel/user.proto
- zitadel/v1.proto
- zitadel/v1.proto

96
proto/zitadel/filter/v2/filter.proto Normal file
View File

@@ -0,0 +1,96 @@
syntax = "proto3";
package zitadel.filter.v2;
option go_package = "github.com/zitadel/zitadel/pkg/grpc/filter/v2;filter";
import "google/protobuf/timestamp.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
enum TextFilterMethod {
TEXT_FILTER_METHOD_EQUALS = 0;
TEXT_FILTER_METHOD_EQUALS_IGNORE_CASE = 1;
TEXT_FILTER_METHOD_STARTS_WITH = 2;
TEXT_FILTER_METHOD_STARTS_WITH_IGNORE_CASE = 3;
TEXT_FILTER_METHOD_CONTAINS = 4;
TEXT_FILTER_METHOD_CONTAINS_IGNORE_CASE = 5;
TEXT_FILTER_METHOD_ENDS_WITH = 6;
TEXT_FILTER_METHOD_ENDS_WITH_IGNORE_CASE = 7;
}
enum ListFilterMethod {
LIST_FILTER_METHOD_IN = 0;
}
enum TimestampFilterMethod {
TIMESTAMP_FILTER_METHOD_EQUALS = 0;
TIMESTAMP_FILTER_METHOD_AFTER = 1;
TIMESTAMP_FILTER_METHOD_AFTER_OR_EQUALS = 2;
TIMESTAMP_FILTER_METHOD_BEFORE = 3;
TIMESTAMP_FILTER_METHOD_BEFORE_OR_EQUALS = 4;
}
message PaginationRequest {
// Starting point for retrieval, in combination of offset used to query a set list of objects.
uint64 offset = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "0";
}
];
// limit is the maximum amount of objects returned. The default is set to 100
// with a maximum of 1000 in the runtime configuration.
// If the limit exceeds the maximum configured ZITADEL will throw an error.
// If no limit is present the default is taken.
uint32 limit = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "10";
}
];
// Asc is the sorting order. If true the list is sorted ascending, if false
// the list is sorted descending. The default is descending.
bool asc = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "false";
}
];
}
message PaginationResponse {
// Absolute number of objects matching the query, regardless of applied limit.
uint64 total_result = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "100";
}
];
// Applied limit from query, defines maximum amount of objects per request, to compare if all objects are returned.
uint64 applied_limit = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "100";
}
];
}
message IDFilter {
// Only return resources that belong to this id.
string id = 1 [
(validate.rules).string = {max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
max_length: 200;
example: "\"69629023906488337\"";
}
];
}
message TimestampFilter {
// Filter resources by timestamp.
google.protobuf.Timestamp timestamp = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2024-12-18T07:50:47.492Z\"";
}
];
// Defines the condition (e.g., equals, before, after) that the timestamp of the retrieved resources should match.
TimestampFilterMethod method = 2 [
(validate.rules).enum.defined_only = true
];
}

36
proto/zitadel/filter/v2beta/filter.proto
View File

@@ -6,6 +6,7 @@ option go_package = "github.com/zitadel/zitadel/pkg/grpc/filter/v2beta;filter";
import "google/protobuf/timestamp.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
enum TextFilterMethod {
TEXT_FILTER_METHOD_EQUALS = 0;
@@ -56,4 +57,37 @@ message PaginationResponse {
example: "\"100\"";
}
];
}
}
message IDFilter {
// Only return resources that belong to this id.
string id = 1 [
(validate.rules).string = {max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
max_length: 200;
example: "\"69629023906488337\"";
}
];
}
message TimestampFilter {
// Filter resources by timestamp.
google.protobuf.Timestamp timestamp = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2024-12-18T07:50:47.492Z\"";
}
];
// Defines the condition (e.g., equals, before, after) that the timestamp of the retrieved resources should match.
TimestampFilterMethod method = 2 [
(validate.rules).enum.defined_only = true
];
}
message InIDsFilter {
// Defines the ids to query for.
repeated string ids = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"69629023906488334\",\"69622366012355662\"]";
}
];
}

201
proto/zitadel/management.proto
View File

@@ -432,7 +432,11 @@ service ManagementService {
};
}
// Deprecated: use ImportHumanUser
// Create User (Human)
//
// Deprecated: use [ImportHumanUser](apis/resources/mgmt/management-service-import-human-user.api.mdx) instead.
//
// Create a new user with the type human. The newly created user will get an initialization email if either the email address is not marked as verified or no password is set. If a password is set the user will not be requested to set a new one on the first login.
rpc AddHumanUser(AddHumanUserRequest) returns (AddHumanUserResponse) {
option (google.api.http) = {
post: "/users/human"
@@ -444,10 +448,8 @@ service ManagementService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Deprecated: Create User (Human)";
description: "Create a new user with the type human. The newly created user will get an initialization email if either the email address is not marked as verified or no password is set. If a password is set the user will not be requested to set a new one on the first login.\n\nDeprecated: use ImportHumanUser"
tags: "Users";
deprecated: true;
tags: "Users";
parameters: {
headers: {
name: "x-zitadel-orgid";
@@ -459,7 +461,11 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 AddHumanUser
// Create/Import User (Human)
//
// Deprecated: use [UpdateHumanUser](apis/resources/user_service_v2/user-service-update-human-user.api.mdx) instead.
//
// Create/import a new user with the type human. The newly created user will get an initialization email if either the email address is not marked as verified or no password is set. If a password is set the user will not be requested to set a new one on the first login.
rpc ImportHumanUser(ImportHumanUserRequest) returns (ImportHumanUserResponse) {
option (google.api.http) = {
post: "/users/human/_import"
@@ -471,11 +477,9 @@ service ManagementService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Create/Import User (Human)";
description: "Create/import a new user with the type human. The newly created user will get an initialization email if either the email address is not marked as verified or no password is set. If a password is set the user will not be requested to set a new one on the first login.\n\nDeprecated: please use user service v2 [AddHumanUser](apis/resources/user_service_v2/user-service-add-human-user.api.mdx)"
deprecated: true;
tags: "Users";
tags: "User Human"
deprecated: true;
parameters: {
headers: {
name: "x-zitadel-orgid";
@@ -487,6 +491,11 @@ service ManagementService {
};
}
// Create User (Machine)
//
// Deprecated: use [user service v2 CreateUser](apis/resources/user_service_v2/user-service-create-user.api.mdx) to create a user of type machine instead.
//
// Create a new user with the type machine for your API, service or device. These users are used for non-interactive authentication flows.
rpc AddMachineUser(AddMachineUserRequest) returns (AddMachineUserResponse) {
option (google.api.http) = {
post: "/users/machine"
@@ -498,8 +507,7 @@ service ManagementService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Create User (Machine)";
description: "Create a new user with the type machine for your API, service or device. These users are used for non-interactive authentication flows."
deprecated: true;
tags: "Users";
tags: "User Machine";
responses: {
@@ -683,7 +691,11 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 UpdateHumanUser
// Change user name
//
// Deprecated: use [user service v2 UpdateUser](apis/resources/user_service_v2/user-service-update-user.api.mdx) instead.
//
// Change the username of the user. Be aware that the user has to log in with the newly added username afterward
rpc UpdateUserName(UpdateUserNameRequest) returns (UpdateUserNameResponse) {
option (google.api.http) = {
put: "/users/{user_id}/username"
@@ -695,8 +707,6 @@ service ManagementService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Change user name";
description: "Change the username of the user. Be aware that the user has to log in with the newly added username afterward.\n\nDeprecated: please use user service v2 UpdateHumanUser"
tags: "Users";
deprecated: true;
responses: {
@@ -903,7 +913,11 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 UpdateHumanUser
// Update User Profile (Human)
//
// Deprecated: use [user service v2 UpdateHumanUser](apis/resources/user_service_v2/user-service-update-human-user.api.mdx) instead.
//
// Update the profile information from a user. The profile includes basic information like first_name and last_name.
rpc UpdateHumanProfile(UpdateHumanProfileRequest) returns (UpdateHumanProfileResponse) {
option (google.api.http) = {
put: "/users/{user_id}/profile"
@@ -915,11 +929,9 @@ service ManagementService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Update User Profile (Human)";
description: "Update the profile information from a user. The profile includes basic information like first_name and last_name.\n\nDeprecated: please use user service v2 UpdateHumanUser"
deprecated: true;
tags: "Users";
tags: "User Human";
deprecated: true;
responses: {
key: "200"
value: {
@@ -970,7 +982,11 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 SetEmail
// Update User Email (Human)
//
// Deprecated: use [user service v2 SetEmail](apis/resources/user_service_v2/user-service-set-email.api.mdx) instead.
//
// Change the email address of a user. If the state is set to not verified, the user will get a verification email.
rpc UpdateHumanEmail(UpdateHumanEmailRequest) returns (UpdateHumanEmailResponse) {
option (google.api.http) = {
put: "/users/{user_id}/email"
@@ -982,8 +998,6 @@ service ManagementService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Update User Email (Human)";
description: "Change the email address of a user. If the state is set to not verified, the user will get a verification email.\n\nDeprecated: please use user service v2 SetEmail"
tags: "Users";
tags: "User Human";
deprecated: true;
@@ -1039,7 +1053,11 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 ResendEmailCode
// Resend User Email Verification
//
// Deprecated: use [user service v2 ResendEmailCode](apis/resources/user_service_v2/user-service-resend-email-code.api.mdx) instead.
//
// Resend the email verification notification to the given email address of the user.
rpc ResendHumanEmailVerification(ResendHumanEmailVerificationRequest) returns (ResendHumanEmailVerificationResponse) {
option (google.api.http) = {
post: "/users/{user_id}/email/_resend_verification"
@@ -1051,8 +1069,6 @@ service ManagementService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Resend User Email Verification";
description: "Resend the email verification notification to the given email address of the user.\n\nDeprecated: please use user service v2 ResendEmailCode"
tags: "Users";
tags: "User Human";
deprecated: true;
@@ -1106,7 +1122,11 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 SetPhone
// Update User Phone (Human)
//
// Deprecated: use [user service v2 SetPhone](apis/resources/user_service_v2/user-service-update-user.api.mdx) instead.
//
// Change the phone number of a user. If the state is set to not verified, the user will get an SMS to verify (if a notification provider is configured). The phone number is only for informational purposes and to send messages, not for Authentication (2FA).
rpc UpdateHumanPhone(UpdateHumanPhoneRequest) returns (UpdateHumanPhoneResponse) {
option (google.api.http) = {
put: "/users/{user_id}/phone"
@@ -1118,8 +1138,6 @@ service ManagementService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Update User Phone (Human)";
description: "Change the phone number of a user. If the state is set to not verified, the user will get an SMS to verify (if a notification provider is configured). The phone number is only for informational purposes and to send messages, not for Authentication (2FA).\n\nDeprecated: please use user service v2 SetPhone"
tags: "Users";
tags: "User Human";
deprecated: true;
@@ -1140,7 +1158,11 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 SetPhone
// Remove User Phone (Human)
//
// Deprecated: use user service v2 [user service v2 SetPhone](apis/resources/user_service_v2/user-service-set-phone.api.mdx) instead.
//
// Remove the configured phone number of a user.
rpc RemoveHumanPhone(RemoveHumanPhoneRequest) returns (RemoveHumanPhoneResponse) {
option (google.api.http) = {
delete: "/users/{user_id}/phone"
@@ -1151,8 +1173,6 @@ service ManagementService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Remove User Phone (Human)";
description: "Remove the configured phone number of a user.\n\nDeprecated: please use user service v2 SetPhone"
tags: "Users";
tags: "User Human";
deprecated: true;
@@ -1173,7 +1193,11 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 ResendPhoneCode
// Resend User Phone Verification
//
// Deprecated: use user service v2 [user service v2 ResendPhoneCode](apis/resources/user_service_v2/user-service-resend-phone-code.api.mdx) instead.
//
// Resend the notification for the verification of the phone number, to the number stored on the user.
rpc ResendHumanPhoneVerification(ResendHumanPhoneVerificationRequest) returns (ResendHumanPhoneVerificationResponse) {
option (google.api.http) = {
post: "/users/{user_id}/phone/_resend_verification"
@@ -1185,8 +1209,6 @@ service ManagementService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Resend User Phone Verification";
description: "Resend the notification for the verification of the phone number, to the number stored on the user.\n\nDeprecated: please use user service v2 ResendPhoneCode"
tags: "Users";
tags: "User Human";
deprecated: true;
@@ -1238,7 +1260,9 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 SetPassword
// Set Human Initial Password
//
// Deprecated: use [user service v2 SetPassword](apis/resources/user_service_v2/user-service-set-password.api.mdx) instead.
rpc SetHumanInitialPassword(SetHumanInitialPasswordRequest) returns (SetHumanInitialPasswordResponse) {
option (google.api.http) = {
post: "/users/{user_id}/password/_initialize"
@@ -1252,7 +1276,6 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Users";
tags: "User Human";
summary: "Set Human Initial Password\n\nDeprecated: please use user service v2 SetPassword";
deprecated: true;
parameters: {
headers: {
@@ -1265,7 +1288,9 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 SetPassword
// Set User Password
//
// Deprecated: use [user service v2 SetPassword](apis/resources/user_service_v2/user-service-set-password.api.mdx) instead.
rpc SetHumanPassword(SetHumanPasswordRequest) returns (SetHumanPasswordResponse) {
option (google.api.http) = {
post: "/users/{user_id}/password"
@@ -1277,8 +1302,6 @@ service ManagementService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Set User Password";
description: "Set a new password for a user. Per default, the user has to change the password on the next login. You can set no_change_required to true, to avoid the change on the next login.\n\nDeprecated: please use user service v2 SetPassword"
tags: "Users";
tags: "User Human";
deprecated: true;
@@ -1299,7 +1322,11 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 PasswordReset
// Send Reset Password Notification
//
// Deprecated: use [user service v2 PasswordReset](apis/resources/user_service_v2/user-service-password-reset.api.mdx) instead.
//
// The user will receive an email with a link to change the password.
rpc SendHumanResetPasswordNotification(SendHumanResetPasswordNotificationRequest) returns (SendHumanResetPasswordNotificationResponse) {
option (google.api.http) = {
post: "/users/{user_id}/password/_reset"
@@ -1311,8 +1338,6 @@ service ManagementService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Send Reset Password Notification";
description: "The user will receive an email with a link to change the password.\n\nDeprecated: please use user service v2 PasswordReset"
tags: "Users";
tags: "User Human";
deprecated: true;
@@ -1629,6 +1654,11 @@ service ManagementService {
};
}
// Update Machine User
//
// Deprecated: use [user service v2 UpdateUser](apis/resources/user_service_v2/user-service-update-user.api.mdx) to update a user of type machine instead.
//
// Change a service account/machine user. It is used for accounts with non-interactive authentication possibilities.
rpc UpdateMachine(UpdateMachineRequest) returns (UpdateMachineResponse) {
option (google.api.http) = {
put: "/users/{user_id}/machine"
@@ -1640,8 +1670,7 @@ service ManagementService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Update Machine User";
description: "Change a service account/machine user. It is used for accounts with non-interactive authentication possibilities."
deprecated: true;
tags: "Users";
tags: "User Machine";
responses: {
@@ -1661,6 +1690,11 @@ service ManagementService {
};
}
// Create Secret for Machine User
//
// Deprecated: use [user service v2 AddSecret](apis/resources/user_service_v2/user-service-add-secret.api.mdx) instead.
//
// Create a new secret for a machine user/service account. It is used to authenticate the user (client credential grant).
rpc GenerateMachineSecret(GenerateMachineSecretRequest) returns (GenerateMachineSecretResponse) {
option (google.api.http) = {
put: "/users/{user_id}/secret"
@@ -1672,8 +1706,7 @@ service ManagementService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Create Secret for Machine User";
description: "Create a new secret for a machine user/service account. It is used to authenticate the user (client credential grant)."
deprecated: true;
tags: "Users";
tags: "User Machine";
responses: {
@@ -1693,6 +1726,11 @@ service ManagementService {
};
}
// Delete Secret of Machine User
//
// Deprecated: use [user service v2 RemoveSecret](apis/resources/user_service_v2/user-service-remove-secret.api.mdx) instead.
//
// Delete a secret of a machine user/service account. The user will not be able to authenticate with the secret afterward.
rpc RemoveMachineSecret(RemoveMachineSecretRequest) returns (RemoveMachineSecretResponse) {
option (google.api.http) = {
delete: "/users/{user_id}/secret"
@@ -1703,8 +1741,7 @@ service ManagementService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Delete Secret of Machine User";
description: "Delete a secret of a machine user/service account. The user will not be able to authenticate with the secret afterward."
deprecated: true;
tags: "Users";
tags: "User Machine";
responses: {
@@ -1724,6 +1761,11 @@ service ManagementService {
};
}
// Get Machine user Key By ID
//
// Deprecated: use [user service v2 ListKeys](apis/resources/user_service_v2/user-service-list-keys.api.mdx) instead.
//
// Get a specific Key of a machine user by its id. Machine keys are used to authenticate with jwt profile authentication.
rpc GetMachineKeyByIDs(GetMachineKeyByIDsRequest) returns (GetMachineKeyByIDsResponse) {
option (google.api.http) = {
get: "/users/{user_id}/keys/{key_id}"
@@ -1734,8 +1776,7 @@ service ManagementService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Get Machine user Key By ID";
description: "Get a specific Key of a machine user by its id. Machine keys are used to authenticate with jwt profile authentication."
deprecated: true;
tags: "Users";
tags: "User Machine";
responses: {
@@ -1755,6 +1796,11 @@ service ManagementService {
};
}
// Get Machine user Key By ID
//
// Deprecated: use [user service v2 ListKeys](apis/resources/user_service_v2/user-service-list-keys.api.mdx) instead.
//
// Get the list of keys of a machine user. Machine keys are used to authenticate with jwt profile authentication.
rpc ListMachineKeys(ListMachineKeysRequest) returns (ListMachineKeysResponse) {
option (google.api.http) = {
post: "/users/{user_id}/keys/_search"
@@ -1766,8 +1812,7 @@ service ManagementService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Get Machine user Key By ID";
description: "Get the list of keys of a machine user. Machine keys are used to authenticate with jwt profile authentication."
deprecated: true;
tags: "Users";
tags: "User Machine";
responses: {
@@ -1787,6 +1832,14 @@ service ManagementService {
};
}
// Create Key for machine user
//
// Deprecated: use [user service v2 AddKey](apis/resources/user_service_v2/user-service-add-key.api.mdx) instead.
//
// If a public key is not supplied, a new key is generated and will be returned in the response.
// Make sure to store the returned key.
// If an RSA public key is supplied, the private key is omitted from the response.
// Machine keys are used to authenticate with jwt profile.
rpc AddMachineKey(AddMachineKeyRequest) returns (AddMachineKeyResponse) {
option (google.api.http) = {
post: "/users/{user_id}/keys"
@@ -1798,8 +1851,7 @@ service ManagementService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Create Key for machine user";
description: "If a public key is not supplied, a new key is generated and will be returned in the response. Make sure to store the returned key. If an RSA public key is supplied, the private key is omitted from the response. Machine keys are used to authenticate with jwt profile."
deprecated: true;
tags: "Users";
tags: "User Machine";
responses: {
@@ -1819,6 +1871,12 @@ service ManagementService {
};
}
// Delete Key for machine user
//
// Deprecated: use [user service v2 RemoveKey](apis/resources/user_service_v2/user-service-remove-key.api.mdx) instead.
//
// Delete a specific key from a user.
// The user will not be able to authenticate with that key afterward.
rpc RemoveMachineKey(RemoveMachineKeyRequest) returns (RemoveMachineKeyResponse) {
option (google.api.http) = {
delete: "/users/{user_id}/keys/{key_id}"
@@ -1829,8 +1887,7 @@ service ManagementService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Delete Key for machine user";
description: "Delete a specific key from a user. The user will not be able to authenticate with that key afterward."
deprecated: true;
tags: "Users";
tags: "User Machine";
responses: {
@@ -1850,6 +1907,11 @@ service ManagementService {
};
}
// Get Personal-Access-Token (PAT) by ID
//
// Deprecated: use [user service v2 ListPersonalAccessTokens](apis/resources/user_service_v2/user-service-list-personal-access-tokens.api.mdx) instead.
//
// Returns the PAT for a user, currently only available for machine users/service accounts. PATs are ready-to-use tokens and can be sent directly in the authentication header.
rpc GetPersonalAccessTokenByIDs(GetPersonalAccessTokenByIDsRequest) returns (GetPersonalAccessTokenByIDsResponse) {
option (google.api.http) = {
get: "/users/{user_id}/pats/{token_id}"
@@ -1860,8 +1922,7 @@ service ManagementService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Get a Personal-Access-Token (PAT) by ID";
description: "Returns the PAT for a user, currently only available for machine users/service accounts. PATs are ready-to-use tokens and can be sent directly in the authentication header."
deprecated: true;
tags: "Users";
tags: "User Machine";
responses: {
@@ -1881,6 +1942,11 @@ service ManagementService {
};
}
// List Personal-Access-Tokens (PATs)
//
// Deprecated: use [user service v2 ListPersonalAccessTokens](apis/resources/user_service_v2/user-service-list-personal-access-tokens.api.mdx) instead.
//
// Returns a list of PATs for a user, currently only available for machine users/service accounts. PATs are ready-to-use tokens and can be sent directly in the authentication header.
rpc ListPersonalAccessTokens(ListPersonalAccessTokensRequest) returns (ListPersonalAccessTokensResponse) {
option (google.api.http) = {
post: "/users/{user_id}/pats/_search"
@@ -1892,8 +1958,7 @@ service ManagementService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Get a Personal-Access-Token (PAT) by ID";
description: "Returns a list of PATs for a user, currently only available for machine users/service accounts. PATs are ready-to-use tokens and can be sent directly in the authentication header."
deprecated: true;
tags: "Users";
tags: "User Machine";
responses: {
@@ -1913,6 +1978,13 @@ service ManagementService {
};
}
// Create a Personal-Access-Token (PAT)
//
// Deprecated: use [user service v2 AddPersonalAccessToken](apis/resources/user_service_v2/user-service-add-personal-access-token.api.mdx) instead.
//
// Generates a new PAT for the user. Currently only available for machine users.
// The token will be returned in the response, make sure to store it.
// PATs are ready-to-use tokens and can be sent directly in the authentication header.
rpc AddPersonalAccessToken(AddPersonalAccessTokenRequest) returns (AddPersonalAccessTokenResponse) {
option (google.api.http) = {
post: "/users/{user_id}/pats"
@@ -1924,8 +1996,7 @@ service ManagementService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Create a Personal-Access-Token (PAT)";
description: "Generates a new PAT for the user. Currently only available for machine users. The token will be returned in the response, make sure to store it. PATs are ready-to-use tokens and can be sent directly in the authentication header."
deprecated: true;
tags: "Users";
tags: "User Machine";
responses: {
@@ -1945,6 +2016,11 @@ service ManagementService {
};
}
// Remove a Personal-Access-Token (PAT) by ID
//
// Deprecated: use [user service v2 RemovePersonalAccessToken](apis/resources/user_service_v2/user-service-remove-personal-access-token.api.mdx) instead.
//
// Delete a PAT from a user. Afterward, the user will not be able to authenticate with that token anymore.
rpc RemovePersonalAccessToken(RemovePersonalAccessTokenRequest) returns (RemovePersonalAccessTokenResponse) {
option (google.api.http) = {
delete: "/users/{user_id}/pats/{token_id}"
@@ -1955,8 +2031,7 @@ service ManagementService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Get a Personal-Access-Token (PAT) by ID";
description: "Delete a PAT from a user. Afterward, the user will not be able to authenticate with that token anymore."
deprecated: true;
tags: "Users";
tags: "User Machine";
responses: {
@@ -2003,7 +2078,7 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 RemoveLinkedIDP
// Deprecated: please use [user service v2 RemoveIDPLink](apis/resources/user_service_v2/user-service-remove-idp-link.api.mdx)
rpc RemoveHumanLinkedIDP(RemoveHumanLinkedIDPRequest) returns (RemoveHumanLinkedIDPResponse) {
option (google.api.http) = {
delete: "/users/{user_id}/idps/{idp_id}/{linked_user_id}"

66
proto/zitadel/project/v2beta/query.proto
View File

@@ -185,10 +185,10 @@ message ProjectSearchFilter {
option (validate.required) = true;
ProjectNameFilter project_name_filter = 1;
InProjectIDsFilter in_project_ids_filter = 2;
ProjectResourceOwnerFilter project_resource_owner_filter = 3;
ProjectGrantResourceOwnerFilter project_grant_resource_owner_filter = 4;
ProjectOrganizationIDFilter project_organization_id_filter = 5;
zitadel.filter.v2beta.InIDsFilter in_project_ids_filter = 2;
zitadel.filter.v2beta.IDFilter project_resource_owner_filter = 3;
zitadel.filter.v2beta.IDFilter project_grant_resource_owner_filter = 4;
zitadel.filter.v2beta.IDFilter project_organization_id_filter = 5;
}
}
@@ -210,68 +210,18 @@ message ProjectNameFilter {
];
}
message InProjectIDsFilter {
// Defines the ids to query for.
repeated string project_ids = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "the ids of the projects to include"
example: "[\"69629023906488334\",\"69622366012355662\"]";
}
];
}
message ProjectResourceOwnerFilter {
// Defines the ID of organization the project belongs to query for.
string project_resource_owner = 1 [
(validate.rules).string = {max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629023906488334\""
}
];
}
message ProjectGrantResourceOwnerFilter {
// Defines the ID of organization the project grant belongs to query for.
string project_grant_resource_owner = 1 [
(validate.rules).string = {max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629023906488334\""
}
];
}
message ProjectOrganizationIDFilter {
// Defines the ID of organization the project and granted project belong to query for.
string project_organization_id = 1 [
(validate.rules).string = {max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629023906488334\""
}
];
}
message ProjectGrantSearchFilter {
oneof filter {
option (validate.required) = true;
ProjectNameFilter project_name_filter = 1;
ProjectRoleKeyFilter role_key_filter = 2;
InProjectIDsFilter in_project_ids_filter = 3;
ProjectResourceOwnerFilter project_resource_owner_filter = 4;
ProjectGrantResourceOwnerFilter project_grant_resource_owner_filter = 5;
zitadel.filter.v2beta.InIDsFilter in_project_ids_filter = 3;
zitadel.filter.v2beta.IDFilter project_resource_owner_filter = 4;
zitadel.filter.v2beta.IDFilter project_grant_resource_owner_filter = 5;
}
}
message GrantedOrganizationIDFilter {
// Defines the ID of organization the project is granted to query for.
string granted_organization_id = 1 [
(validate.rules).string = {max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629023906488334\""
}
];
}
message ProjectRole {
// ID of the project.
string project_id = 1 [
@@ -344,4 +294,4 @@ message ProjectRoleDisplayNameFilter {
zitadel.filter.v2beta.TextFilterMethod method = 2 [
(validate.rules).enum.defined_only = true
];
}
}

2
proto/zitadel/user/v2/email.proto
View File

@@ -19,7 +19,7 @@ message SetHumanEmail {
example: "\"mini@mouse.com\"";
}
];
// if no verification is specified, an email is sent with the default url
// If no verification is specified, an email is sent with the default url
oneof verification {
SendEmailVerificationCode send_code = 2;
ReturnEmailVerificationCode return_code = 3;

69
proto/zitadel/user/v2/key.proto Normal file
View File

@@ -0,0 +1,69 @@
syntax = "proto3";
package zitadel.user.v2;
option go_package = "github.com/zitadel/zitadel/pkg/grpc/user/v2;user";
import "protoc-gen-openapiv2/options/annotations.proto";
import "google/protobuf/timestamp.proto";
import "validate/validate.proto";
import "zitadel/filter/v2/filter.proto";
message Key {
// The timestamp of the key creation.
google.protobuf.Timestamp creation_date = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2024-12-18T07:50:47.492Z\"";
}
];
// The timestamp of the last change of the key.
google.protobuf.Timestamp change_date = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2024-12-18T07:50:47.492Z\"";
}
];
// The unique identifier of the key.
string id = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629012906488334\"";
}
];
// The unique identifier of the user the key belongs to.
string user_id = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629012906488334\"";
}
];
// The unique identifier of the organization the key belongs to.
string organization_id = 5 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629012906488334\"";
}
];
// The keys expiration date.
google.protobuf.Timestamp expiration_date = 6 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2024-12-18T07:50:47.492Z\"";
}
];
}
message KeysSearchFilter {
oneof filter {
option (validate.required) = true;
zitadel.filter.v2.IDFilter key_id_filter = 1;
zitadel.filter.v2.IDFilter user_id_filter = 2;
zitadel.filter.v2.IDFilter organization_id_filter = 3;
zitadel.filter.v2.TimestampFilter created_date_filter = 4;
zitadel.filter.v2.TimestampFilter expiration_date_filter = 5;
}
}
enum KeyFieldName {
KEY_FIELD_NAME_UNSPECIFIED = 0;
KEY_FIELD_NAME_CREATED_DATE = 1;
KEY_FIELD_NAME_ID = 2;
KEY_FIELD_NAME_USER_ID = 3;
KEY_FIELD_NAME_ORGANIZATION_ID = 4;
KEY_FIELD_NAME_KEY_EXPIRATION_DATE = 5;
}

70
proto/zitadel/user/v2/pat.proto Normal file
View File

@@ -0,0 +1,70 @@
syntax = "proto3";
package zitadel.user.v2;
option go_package = "github.com/zitadel/zitadel/pkg/grpc/user/v2;user";
import "protoc-gen-openapiv2/options/annotations.proto";
import "google/protobuf/timestamp.proto";
import "validate/validate.proto";
import "zitadel/filter/v2/filter.proto";
message PersonalAccessToken {
// The timestamp of the personal access token creation.
google.protobuf.Timestamp creation_date = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2024-12-18T07:50:47.492Z\"";
}
];
// The timestamp of the last change of the personal access token.
google.protobuf.Timestamp change_date = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2024-12-18T07:50:47.492Z\"";
}
];
// The unique identifier of the personal access token.
string id = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629012906488334\"";
}
];
// The unique identifier of the user the personal access token belongs to.
string user_id = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629012906488334\"";
}
];
// The unique identifier of the organization the personal access token belongs to.
string organization_id = 5 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629012906488334\"";
}
];
// The personal access tokens expiration date.
google.protobuf.Timestamp expiration_date = 6 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2024-12-18T07:50:47.492Z\"";
}
];
}
message PersonalAccessTokensSearchFilter {
oneof filter {
option (validate.required) = true;
zitadel.filter.v2.IDFilter token_id_filter = 1;
zitadel.filter.v2.IDFilter user_id_filter = 2;
zitadel.filter.v2.IDFilter organization_id_filter = 3;
zitadel.filter.v2.TimestampFilter created_date_filter = 4;
zitadel.filter.v2.TimestampFilter expiration_date_filter = 5;
}
}
enum PersonalAccessTokenFieldName {
PERSONAL_ACCESS_TOKEN_FIELD_NAME_UNSPECIFIED = 0;
PERSONAL_ACCESS_TOKEN_FIELD_NAME_CREATED_DATE = 1;
PERSONAL_ACCESS_TOKEN_FIELD_NAME_ID = 2;
PERSONAL_ACCESS_TOKEN_FIELD_NAME_USER_ID = 3;
PERSONAL_ACCESS_TOKEN_FIELD_NAME_ORGANIZATION_ID = 4;
PERSONAL_ACCESS_TOKEN_FIELD_NAME_EXPIRATION_DATE = 5;
}

1186
proto/zitadel/user/v2/user_service.proto
View File

File diff suppressed because it is too large Load Diff